Closed
What version of Go are you using (go version)?
go version go1.12 windows/amd64
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
$ go env
set GOARCH=amd64
set GOBIN=C:\git\go\bin
set GOCACHE=C:\Users\xxx\AppData\Local\go-build
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GOPATH=c:\git\go
set GOPROXY=
set GORACE=
set GOROOT=C:\Go
set GOTMPDIR=
set GOTOOLDIR=C:\Go\pkg\tool\windows_amd64
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=C:\git\notgo\engineering\veritasapi\go.mod
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fmessage-length=0 -fdebug-prefix-map=C:\Users\xxx\AppData\Local\Temp\go-build238261902=/tmp/go-build -gno-record-gcc-switches
What did you do?
go mod init mymodule
This starts reading the currently used glide.yaml to process project dependencies.
There are some imports in this go project that refer to a company located git-host which is accessible via git using private ssl certificates,
for example in code:
import "oucompany.github.com/engineering/myrepo/package"
whereby in the glide.yaml we might have:
- package: github.ourcompany.local/engineering/go-utils
  repo: git@github.ourcompany.local:engineering/go-utils.git
  vcs: git
  subpackages:
  - env
What did you expect to see?
A properly initialized go.mod
What did you see instead?
errors/ exception thrown like:
$ go mod init veritasapi
go: creating new go.mod: module veritasapi
go: copying requirements from glide.lock
go: converting glide.lock: stat github.mycompany.local/engineering/protos@7462cb9dbaba285e3c931bc1edc0b62ebe8d005e: git fetch -f https://github.mycompany.local/engineering/protos.git refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in c:\git\go\pkg\mod\cache\vcs\5626dfafc13719b661e5e62c892d3563fa39030a15a5ca1fdcad3e06591ea342: exit status 128:
	fatal: unable to access 'https://github.mycompany.local/engineering/protos.git/': schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.
Also tried to change the .gitconfig setting:
[url "ssh://git@github.ourcompany.local:engineering/"]
	insteadOf = https://github.ourcompany.local/engineering/
but this does not show any noticeable difference.
Also ensured the repository is available/readable on console:
>git ls-remote git@github.ourcompany.local:engineering/mygitrepo outputs latest commit hashes
Question: how come go mod init is trying to access the git repository using https instead of via ssl / git@etc..?
agnivade commented on Feb 27, 2019
See https://golang.org/doc/faq#git_https.
/cc @bcmills
MelleKoning commented on Feb 27, 2019
Hi @agnivade thanks for that reference. As from the docs:
This has been tried but it seems the 'insteadOf' workaround to explicitly use SSH is not functioning as mentioned in the original issue remark.
[ update ]
turns out that only providing the domain name actually makes a difference. so:
(without trailing slash or /engineering)
This still shows the following error though:
Even when providing this part in the gitconfig, to give a hint on the used private SSL certificate:
what would be the proper settings to point to the private ssl certificate or gitconfig?
bcmills commented on Feb 27, 2019
Do you mean that the go command needs to trust SSL certificates from a private CA, or that the go command needs to present a client certificate to the server? (If the latter, is this the same issue as #30119?)
bcmills commented on Feb 27, 2019
Presumably that's what the go-import tags served by https://github.ourcompany.local/engineering/protos?go-get=1 told it to use. (See also #30304.)
You should be able to verify that by running
and checking for a <meta name="go-import" […]> tag.
bcmills commented on Feb 27, 2019
Did the go mod init veritasapi command actually fail, or did it emit some errors and write a go.mod file anyway? (It should have done the latter; if not, please file a separate issue and mention #26603 in it.)
MelleKoning commented on Feb 27, 2019
It wrote a go.mod file anyway, because of other dependencies that it could find from public repositories like from public github.com.
on checking with curl, the https version returns:
This is fine, because of the gitconfig 'insteadOf' setting moves to the SSH git@ way of connecting.
Thus, using the SSH method returns no error:
Still, using go mod init does not seem to be able to make the SSH connection. Not entirely sure how to set up the certificate configured in github.ourcompany.local within gitconfig, or if more certificate-access would be needed.
bcmills commented on Feb 27, 2019
No, that's not fine. There are two steps to fetching a module with a given path: first we resolve that path to a repo or module server path (via HTTPS), then we fetch the module from that server. If we can't resolve the path, then we have no way of knowing that we need to use git in the first place, let alone that we should use it with the ssh protocol.
That means that your local machine needs to be configured to recognize the issuer of the private certificate. On Windows, I believe that you can use the MMC Certificates snap-in or the Certmgr tool for that, but that configuration is independent of the Go toolchain itself.
If you can configure your certificates so that curl […]?go-get=1 works, then cmd/go should also work. Please get curl working and then let us know where you land.
Title changed from "go mod init fails to retrieve company.github.com ssl only repositories" to "cmd/go: go mod init fails to retrieve company.github.com ssl only repositories"
MelleKoning commented on Feb 27, 2019
@bcmills how come
does work and retrieves the company.github.com code from remote while
does not?
I did make sure I first executed a glide cc (to clean glide cache).
Is there a certain difference in retrieving code that exposes via that curl command? To clarify - I just do not know the underlying git commands the different go tools are using to get dependencies and what 'go mod init' would do differently than 'glide update', if anything.
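The HTTPS discovery step that bcmills describes in this thread, as an added example that is not part of the original discussion and is not cmd/go's own code: it reads the go-import tag from a ?go-get=1 response and returns the VCS and repo root that the fetch step would then use. The sample page, the GoImport type and the discover function are constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed ?go-get=1 response; host and path are the placeholders used in the thread.
const samplePage = `<html><head>
<meta name="go-import" content="github.ourcompany.local/engineering/protos git https://github.ourcompany.local/engineering/protos.git">
</head><body>go get</body></html>`

// GoImport holds the three fields of a go-import tag's content attribute.
type GoImport struct{ Prefix, VCS, RepoRoot string }

// discover returns the first go-import tag in page whose prefix covers importPath.
func discover(page, importPath string) (GoImport, bool) {
	d := xml.NewDecoder(strings.NewReader(page))
	d.Strict = false // the page is HTML, not well-formed XML
	d.AutoClose = xml.HTMLAutoClose
	for {
		tok, err := d.Token()
		if err != nil {
			return GoImport{}, false // end of page or parse error: nothing matched
		}
		el, ok := tok.(xml.StartElement)
		if !ok || !strings.EqualFold(el.Name.Local, "meta") {
			continue
		}
		at := map[string]string{}
		for _, a := range el.Attr {
			at[strings.ToLower(a.Name.Local)] = a.Value
		}
		f := strings.Fields(at["content"]) // "prefix vcs repo-root"
		if at["name"] != "go-import" || len(f) != 3 {
			continue
		}
		// Match on a path-segment boundary so ".../protos2" is not covered by ".../protos".
		if importPath == f[0] || strings.HasPrefix(importPath, f[0]+"/") {
			return GoImport{f[0], f[1], f[2]}, true
		}
	}
}

func main() {
	tag, ok := discover(samplePage, "github.ourcompany.local/engineering/protos/env")
	fmt.Println(ok, tag.VCS, tag.RepoRoot)
}
```

The scheme of RepoRoot in the returned tag (https in this sample) is the transport the fetch starts from, so an insteadOf rewrite in .gitconfig only comes into play after the HTTPS discovery request itself has succeeded against a trusted certificate.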
MelleKoning commented on Mar 1, 2019
Addition:
Note: Everything is running outside of $GOPATH.
When in the gitconfig I set the following, changing sslBackend option from 'schannel' to 'openssl' and point to the generated .pem file with the server certificates:
then go mod init gives this failure:
However, when I take the git fetch command of one of the dependencies that go mod wants to execute, and try to execute that 'git fetch' on the command line myself I get the following message:
I'm not all too familiar with the connection details, but does 'git mod' not accept SSH keys/connections yet?
MelleKoning commented on Mar 4, 2019
@agnivade @bcmills does the above provide enough information? Let me know if I can try anything else!
bcmills commented on Mar 4, 2019
@MelleKoning, thanks for following up, and my apologies for the delayed response.
The go command does not have an equivalent to curl's --cacert or --capath flags. It uses only the certificates provided by the operating system itself, so the private CA for github.ourcompany.local needs to be installed at the system level (that's what you need mmc or Certmgr for, as mentioned previously).
When that is done, I would be surprised if you needed any of the explicit ssl configuration in .gitconfig, since I would expect that Git also uses the system-level certificates by default.
The choice between SSH and HTTPS is currently whatever is indicated in the response to https://[…]?go-get=1. (The proposal to allow the server to leave that choice up to the client is #30304, and the workaround in the meantime is to use insteadOf in your .gitconfig as described in #26134 (comment).)
MelleKoning commented on Mar 5, 2019
Thanks @bcmills; I have installed the certificates from github.ourcompany.local in the windows root certificate store (computer trusted), but now getting a CERT_TRUST_REVOCATION_STATUS_UNKNOWN error.
> certutil -verify -urlfetch <certificatename.cer>
provides much more information and ends with:
I will ask our cloudops department in the company more information about this. Thank you for your feedback so far.
MelleKoning commented on May 13, 2019
As of date: Company sticks with glide for go development as 'go mod' commands are not functioning for the ssh accessible private github.company.com endpoints.
agnivade commented on May 25, 2019
@MelleKoning - Were you able to figure out the certificate error that you were facing?
MelleKoning commented on Jun 12, 2019
Hi @agnivade unfortunately not. a 'go mod init myname' keeps coming back with multiple of the following errors.
so we simply keep developing within the go path.
mvdan commented on Jun 15, 2021
Closing old issues that still have the WaitingForInfo label where enough details to investigate weren't provided. Feel free to leave a comment with more details and we can reopen.